Hello and welcome to the Friday, March 17th, 2017 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

German security company SEC Consult did release details about rather easy to exploit vulnerability in various ubiquity equipment.

Epicvity makes a lot of wireless equipment, a lot of carrier equipment as well. This bug does affect

a lot of the point-to-point link systems and the like. There's a long list of vulnerable devices in the advisory.

It does, by the way, not affect the very popular Unify line of equipment that is also being sold by Obiquity.

Now, this particular vulnerability takes advantage of really two flaws.

First of all, these devices do run a very outdated version of PHP,

PHP version 2.

Now, this version of PHP makes it relatively easy to inject commands into PHP code.

That is being exploited here, but in itself this may not have been really all that bad,

given that you have to authenticate.

The second problem here is that there is no cross-site request forging protection.

So a victim would log in to one of these devices not log out and then visit a website

that would trick the victim's browser into injecting a command into the Big Viti device.

There is proof of concept, exploit code out there, and demo videos that demonstrate how this can be used to install a shell, a remote shell, on these vulnerable devices.

No patch from Obikvety at this point, and sadly, Obiquity seems to have bunged a little bit the response to the vulnerability report

here. It was originally reported via Hacker 1, a bug bounty site that Obiquity participates in last November.

And Darknet Intelligence Company, Six Gill is reporting about an interesting new remote access tool for

Mac OS.

Apparently, it's being offered for sale on underground forums.

...